Payment Card Industry Data Security Standards (PCI DSS) https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

Post on 07-Feb-2021


  • Payment Card Industry Data Security Standards (PCI DSS) https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

  • Agenda

    • What is PCI DSS?

    • What PCI Standards Mean for You…

    • 2 Basic Tips for Compliance

    • Quarterly Scans and Annual Questionnaire Requirements

    • Completing the Attestation & Questionnaire B

  • What is PCI?

    • The Payment Card Industry Data Security Standard (PCI DSS) represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.

    • The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.

  • What PCI Standards Mean for You…

    • As a merchant, you are responsible for preventing theft of cardholder data.

    • You need to continuously assess your operations, and fix any vulnerabilities that are identified.

    • In operational terms, it means that you are making sure your customers' payment card data is being kept safe for every transaction, and that they – and you – can have confidence that they're protected against the pain and cost of data breaches.

  • And if DePaul is not compliant, it could be disastrous:

    – Just one incident can severely damage the university’s reputation and our ability to conduct credit card business

    – Account data breaches can lead to catastrophic loss of revenue, business relationships and standing in our community

    – Possible negative financial consequences also include:

      • Lawsuits
      • Insurance claims
      • Cancelled accounts
      • Payment card issuer fines
      • Government fines

  • PCI Compliance by University Department

    Departments having a stake in assuring Compliance and avoiding Failures:

    • Treasurer’s Office
    • Information Systems
    • Financial Affairs
    • Internal Audit
    • Office of Institutional Compliance
    • Office of General Counsel

  • 2 Basic Tips for Compliance Validation

    • Make sure you never store Sensitive Authentication Data (includes the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks).

    • Take inventory of all the reasons and places you store this data. If the data doesn’t serve a valuable business purpose, consider eliminating it. If you don’t need it, don’t store it!

  • Quarterly Scans and Annual Questionnaire

  • DePaul Compliance Requirements for PCI

    • Security Metrics scans DePaul IPs quarterly looking for Vulnerabilities.

    • The Annual PCI DSS Self-Assessment Questionnaire (SAQ v2.0) is a validation tool intended to assist you in self-evaluating your compliance with the Payment Card Industry Data Security Standard (PCI DSS).

  • Annual Attestation & Questionnaire

    The PCI DSS SAQ consists of the following components:

    • Attestation of Compliance: The Attestation is your self-certification that you are eligible to perform and have actually performed a PCI DSS self-assessment.

    • Questions correlating to the PCI DSS requirements, appropriate for service providers and merchants.

  • Selecting the SAQ and Attestation that Best Apply to Your Area

    There are five SAQ categories, briefly described in the table below and selected SAQs detailed in the following slides.

    SAQ    Description
    A      Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
    B      Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
    C-VT   Merchants using only web-based virtual terminals, no electronic cardholder data storage.
    C      Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
    D      All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

    DePaul Merchants fall into category A, B, or C.

  • SAQ B – Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage.

    SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or standalone, dial-out terminals.

    SAQ B merchants confirm that:

    • You use only an imprint machine and/or standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;

    • The standalone, dial-out terminals are not connected to any other systems within DePaul’s environment;

    • The standalone, dial-out terminals are not connected to the Internet;

    • You do not transmit cardholder data over a network (either an internal network or the Internet);

    • You retain only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically; and

    • You do not store cardholder data in electronic format.

  • PCI DSS Compliance – Completion Steps

    • Assess your environment for compliance with the PCI DSS.

    • Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.

    • Complete the Attestation of Compliance in its entirety.

    • Submit the SAQ, and the Attestation of Compliance, along with any other requested documentation, to the Treasurer’s office.

    • The Treasurer’s Office and Information Services can assist you if you have questions.

  • What does Treasury do with all these Questionnaires?

    [Flow diagram; nodes in order: SAQ A (Dept.), SAQ B (Dept.), SAQ C (Dept/IT) – Treasurer’s Office – SAQ C (University) – Acquirer (Elavon)]

  • SAQ B – Stand Alone, Dial-Out Terminals

    • Protect Cardholder Data

    • Implement Strong Access Control Measures – Requirement 9: Restrict physical access to cardholder data

    • Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security for all personnel

  • Attestation of Compliance, SAQ B

  • STOP

    • You have completed Questionnaire B

    • Continue with Section on Compensating Controls only if you answered NO to any of the questions.

  • Compensating Controls

    Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.

    Compensating controls must satisfy the following criteria:

    1. Meet the intent and rigor of the original PCI DSS requirement.

    2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)

    3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.)

  • Appendix C: Compensating Controls

  • Example: Compensating Controls